California AG Issues New Privacy Policy and “Do Not Track” Compliance Guidelines, Announces Proactive Enforcement

by Pillsbury Winthrop Shaw Pittman LLP

The California Attorney General recently released a series of guidelines to assist with compliance with the California Online Privacy Protection Act of 2003 (CalOPPA), which was amended to require new data collection and Do Not Track disclosures. These guidelines offer assistance regarding the form and content of operators’ privacy policies. The AG has stated she will actively enforce operators’ compliance with CalOPPA, including through litigation. Operators of websites and online services that are used or visited by California residents should ensure as soon as possible that their privacy policies comply with the AG’s guidelines.

California Online Privacy Protection Act’s New Requirements Regarding Data Collection and Do Not Track Disclosures.
CalOPPA, Cal. Bus. & Prof. Code §§ 22575-22579, has since 2003 required “operators”1 of commercial websites and online services that collect “personally identifiable information”2 of California residents to conspicuously post their privacy policies. An operator violates CalOPPA if its privacy policy fails to comply with the statute’s disclosure requirements either (1) knowingly and willfully or (2) negligently and materially. Cal. Bus. & Prof. Code § 22576. The Attorney General has previously filed suit for CalOPPA violations seeking injunctive relief and civil penalties under Bus. & Prof. Code § 17200, on the theory that the improper privacy policy constituted an unlawful business practice.

As of January 1, 2014, CalOPPA requires that privacy policies additionally describe (1) how the operator responds to “Do Not Track” browser signals (“DNT Signals”) or “other mechanisms” that give a consumer the ability to indicate the consumer does not want his or her personally identifiable information collected and tracked; and (2) the possible presence of other parties conducting online tracking on the operator’s website or online services. Cal. Bus. & Prof. Code § 22575(b)(5)-(6). In lieu of the first requirement to describe how the operator responds to DNT Signals, the operator can provide a “clear and conspicuous” link in the privacy policy to a “program or protocol” that offers consumers a choice about online tracking, along with a description of the program or protocol and the effects it has on participating consumers. Cal. Bus. & Prof. Code § 22575(b)(7).

The California Attorney General’s CalOPPA Recommendations for Compliance
On May 21, 2014, the Privacy Enforcement and Protection Unit (the “Privacy Unit”) of the California Attorney General’s Office issued “Making Your Privacy Practices Public,” which provides detailed, specific guidance regarding how operators of websites and online services should implement the requirements of CalOPPA as amended. These recommendations, which are summarized below, cover not only the disclosures required in operators’ privacy policies, but also the style and format of the policies.

Guidance on New Disclosure Requirements
Do-Not-Track: The operator has two options for disclosing its responses to Do-Not-Track signals. First, preferably, it can include a section in the privacy policy labeled “How We Respond to Do Not Track Disclosures” that includes a description of how it responds to DNT signals. The AG suggested describing whether the operator treats browsers sending DNT signals differently than those that do not, whether it continues to collect personal information from consumers whose browsers send DNT signals and how it uses that information. Second, the operator may provide a link to a different website that offers a protocol giving consumers a choice about online tracking. The AG views the second alternative as less transparent for consumers. However, if this alternative is employed, the link should be conspicuous, and the landing page should disclose whether the program results in stopping the collection of a consumer’s information across websites and online services over time and what the consumer must do to exercise the choice offered by the program. The privacy policy should give a brief description of what the third party program does and that it complies with CalOPPA.

Collection of personally identifiable information by third parties: The privacy policy must describe whether the operator permits third parties to conduct online tracking on the operator’s website or online services and whether those third parties are or may be engaging in tracking consumers visiting the website or service. The operator should consider whether such activity is limited to approved parties, how the operator verifies that approved parties are not allowing unauthorized parties to collect information and how the third party’s practices may differ from the operators’ practices, if at all. Of course, the operator should confirm its actual practices before making disclosures.

Guidance on Pre-2014 CALOPPA Disclosure Requirements
Scope: The privacy policy should explain whether it applies only to online data collection, or to online and offline practices, and the entities (such as subsidiaries or affiliates) to which it applies.

Availability: The privacy policy should have a recognizable, descriptive title. It should be conspicuously available to users and potential users of the operator’s website or online service using a link on the website’s homepage and pages where data is collected or the application’s platform page that is made conspicuous by its font, color or symbols.

Readability: The privacy policy language should be straightforward, plain English and non-technical or legalistic. The AG recommends short, active voice sentences, topic headings, and a format that provides easy reading, including on smaller screens.

Data collection: The privacy policy should disclose whether the operator collects personally identifiable information directly from the user or indirectly through third parties or cookies or similar technologies. The types of information collected should be reasonably specified by category. Collection of information from children under 13 should be disclosed in compliance with the Children’s Online Privacy Protection Act.

Data use and sharing: The privacy policy must explain how the operator uses the personally identifiable information it collects and under what circumstances it shares that data with different categories of entities, such as affiliates, marketing partners and others.

Individual choice and access to personal information: The privacy policy should provide clear instructions on how consumers can exercise choices regarding the operator’s collection, use, or sharing of personally identifiable information. The operator should honor those choices within a reasonable period of time. Operators should consider offering consumers the opportunity to review and correct their personal information under circumstances where the operator can verify the consumer’s identity and access authority, particularly where sensitive information is involved. Changes to personal information should of course be documented through audit logs or transaction histories.

Security safeguards: The AG recommends that privacy policies describe the security measures used to safeguard personal information in the operator’s care and the measures used to control information security practices of third parties with whom the operator shares consumers’ personal information.

Effective dates and changes to the privacy policy: The operator should state the effective date of the privacy policy and explain how consumers will be notified of changes to the privacy policy. The AG suggests that operators not rely on changes to the privacy policy posted on the website or online services as the only means of notifying consumers of material changes.

Accountability: The privacy policy should identify a point of contact for consumers with questions or concerns about privacy policies and practices, at least including the contact’s title and email or postal address and perhaps a toll-free telephone number staffed by trained personnel.

The Attorney General’s Office has indicated that it will actively enforce operators’ compliance with the Attorney General’s CalOPPA recommendations. In an interview given to The New York Times, a member of the Privacy Unit stated that the Attorney General’s Office “would review companies’ privacy policies and work with them to make sure they followed the new law. Those who don’t comply will receive 30-day warnings before facing potential litigation from the state.”3

  1. “Operator” means any person or entity that owns a website or online service operated for commercial purposes that collects and maintains personally identifiable information from a California resident who uses or visits the website or online service. “Operator” does not mean third parties who operate, host or manage, but do not own, a website or online service. Cal. Bus. & Prof. Code § 22577(c).
  2. “Personally identifiable information” means “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form” and expressly includes (1) first and last names; (2) home or other physical addresses; (3) e-mail addresses; (4) telephone numbers; (5) social security numbers; (6) any other identifier allowing consumers to be contacted online or physically; and (7) information concerning a consumer that the operator maintains along with any of the foregoing six types of information. Cal. Bus. Prof. Code § 22577(a).
  3. Vindu Goel, California Urges Websites to Disclose Online Tracking, N.Y. Times, May 21, 2014.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising

Written by:

Pillsbury Winthrop Shaw Pittman LLP

Pillsbury Winthrop Shaw Pittman LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.